Soon after that, users started reporting when they clicked on an HTTP link inside a page, they would end up redirected through the lnkr.us service to their desired destination, which in half the cases would also open an extra page showing various types of ads. This allowed the author to monetize his extension, but also to collect analytics on users, which he could later sell to online advertisers.

Users reported this happening since March 23, 2016. Confronted by angry users on the extension’s GitHub repo, the extension’s original author said he sold the extension to an unnamed company two months ago, since version 3.9.5.

Originally, Better History was a Chrome extension that added extra filters to the user’s Chrome History section to make it easier to view and find pages accessed in the past.

As it was later discovered, the extension’s new owners stopped adding changes to the extension’s GitHub repository, making it look to everyone like the extension never changed, but they secretly added malicious code ever since they bought the add-on.

One of the things they introduced was a new script called “common.js,” which installs a proxy extension on the user’s browser, used to redirect Chrome traffic.